CVE-2023-46747

CVE-2023-46747 is a critical-severity vulnerability in F5 Big-ip Access Policy Manager with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-10-31). The underlying weakness is classified as CWE-306.

Key facts

Description

Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

CVE-2023-46747: F5 BIG-IP TMUI Authentication Bypass Leading to Remote Command Execution

AI-generated analysis based on the vulnerability data on this page.

| CVE | CVE-2023-46747 |
| Severity | CVSS 3.1 9.8 (Critical) |
| CWE | CWE-306 (Missing Authentication for Critical Function) |
| EPSS | 0.96515 (99.87th percentile) |
| KEV | Listed 2023-10-31 |
| Ransomware | Confirmed |
| Published | 2023-10-26 |

Summary

F5 BIG-IP systems are affected by a critical authentication bypass vulnerability in the configuration utility (TMUI). An attacker with network access to the BIG-IP management port or self IP addresses can send undisclosed requests that bypass authentication, resulting in arbitrary system command execution.

Background

F5 BIG-IP is a widely deployed family of application delivery controllers and security modules. The configuration utility—also known as the Traffic Management User Interface (TMUI)—provides a web-based management interface for device configuration, monitoring, and troubleshooting. Because TMUI is often exposed to internal networks or the internet for remote management, it represents a high-value attack surface.

Root Cause

The root cause is classified as CWE-306: Missing Authentication for Critical Function. The affected configuration utility fails to enforce authentication on certain undisclosed requests, allowing an unauthenticated attacker to reach administrative functionality and execute arbitrary system commands. Public exploit material referenced by the Packetstorm advisory (see References) ties this issue to AJP request smuggling.

Impact

The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 9.8 (Critical).

  • Confidentiality: High — an attacker can read sensitive configuration files, certificates, and session data.
  • Integrity: High — an attacker can modify system configurations, install backdoors, or alter traffic policies.
  • Availability: High — an attacker can crash services, delete resources, or disrupt traffic delivery.

Because the attack requires no privileges and no user interaction, it is trivially exploitable over the network. The high EPSS score (0.96515) and inclusion in CISA's Known Exploited Vulnerabilities catalog confirm that this vulnerability is actively exploited in the wild, including by ransomware operators.

Exploitation Walkthrough

Ethics caveat: This section is provided for defensive and detection purposes only. The objective is to help defenders understand how the attack is structured so they can build effective controls. Do not attempt to use this information against systems you do not own or have explicit authorization to test.

At a high level, exploitation proceeds as follows:

  1. Reconnaissance: The attacker identifies a BIG-IP system exposing TMUI on the management port or a self IP address.
  2. AJP Smuggling: The attacker sends a malformed request that is reinterpreted as an AJP request by the backend. The Packetstorm reference material indicates this is related to AJP request smuggling.
  3. Authentication Bypass: The smuggled request carries attributes that cause the backend to treat the request as internally authenticated, bypassing the normal login requirement.
  4. Command Execution: With administrative access, the attacker can reach utility endpoints to execute arbitrary system commands with elevated privileges.
  5. Post-Exploitation: The attacker may extract credentials, modify virtual server configurations, pivot to internal networks, or deploy persistence mechanisms.

Affected and Patched Versions

The following F5 BIG-IP modules and products are listed as vulnerable in the source data:

  • BIG-IP Access Policy Manager
  • BIG-IP Advanced Firewall Manager
  • BIG-IP Advanced Web Application Firewall
  • BIG-IP Carrier-Grade NAT
  • BIG-IP DDoS Hybrid Defender
  • BIG-IP SSL Orchestrator
  • BIG-IP Domain Name System
  • BIG-IP Local Traffic Manager
  • BIG-IP Policy Enforcement Manager
  • BIG-IP Automation Toolchain
  • BIG-IP Container Ingress Services
  • BIG-IP Application Security Manager
  • BIG-IP Analytics
  • BIG-IP Application Acceleration Manager
  • BIG-IP Application Visibility and Reporting
  • BIG-IP Fraud Protection Services
  • BIG-IP Global Traffic Manager
  • BIG-IP Link Controller
  • BIG-IP WebAccelerator
  • BIG-IP WebSafe

Specific patched version ranges were not provided in the source data. Administrators should consult F5's official advisory (K000137353) to determine whether their installed versions are affected and to obtain the latest hotfixes.

Remediation

  1. Upgrade: Apply the latest patched version or hotfix from F5 as documented in the official advisory.
  2. Restrict Access: Block network access to the BIG-IP management interface and self IP addresses from untrusted networks. Use a dedicated, jump-host-only management network.
  3. Disable Management on Self IPs: If management access via self IP addresses is not required, disable it to reduce the attack surface.
  4. Compensating Controls: Deploy an upstream web application firewall (WAF) with strict request normalization rules to detect anomalous request patterns.
  5. Monitoring: Ensure the BIG-IP system is monitored for unauthorized access to administrative functionality and REST endpoints.

Detection

  • Network: Monitor for anomalous traffic to the management interface, including requests that may contain AJP-like markers or unexpected protocol transitions.
  • Logs: Review TMUI and REST API access logs for unauthenticated requests to administrative endpoints from unexpected source IPs.
  • Endpoint: Look for unauthorized bash or tmsh process execution, especially from the web server context. Check for unusual file writes in temporary directories.
  • Integrity: Monitor system configuration files and virtual server policies for unauthorized changes after the publication date (2023-10-26).

Assessment

  • Exploitation likelihood: Extremely high. With an EPSS of 0.96515 and active KEV listing since 2023-10-31, this vulnerability is being actively exploited by threat actors, including ransomware groups.
  • Business impact: Severe. BIG-IP devices often sit at the network edge; compromise can lead to full network infiltration, data breach, or service outage.
  • Lessons:
    1. Segment management interfaces: Management interfaces should never be reachable from general-purpose networks. A management VLAN or out-of-band network would have dramatically reduced exposure to this flaw.
    2. Protocol hygiene: The presence of dual-protocol handling on the same path is a known anti-pattern. Teams should audit their application stacks for multiple protocol listeners and remove or strictly isolate them.

References

Frequently asked questions

What is CVE-2023-46747?
Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
How severe is CVE-2023-46747?
CVE-2023-46747 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-46747 being actively exploited?
Yes. CVE-2023-46747 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-10-31, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-46747?
CVE-2023-46747 primarily affects F5 Big-ip Access Policy Manager. In total, 20 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-46747?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-46747 have an EU (EUVD) identifier?
Yes. CVE-2023-46747 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-50916. It is also flagged as exploited in the EUVD (since 2023-10-31).
When was CVE-2023-46747 published?
CVE-2023-46747 was published on 2023-10-26 and last updated on 2026-06-17.

References

Affected products (20)

More vulnerabilities in F5 Big-ip Access Policy Manager

All CVEs affecting F5 Big-ip Access Policy Manager →

Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities

Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →